CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. – €3,000,000 Fine (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Spain fined Caixabank 3 million euros for using people's data to assess creditworthiness without proper consent. The bank collected information from individuals who were not their customers to create financial profiles and offer services like loans. This case highlights the importance of obtaining clear consent before using personal data for profiling.
What happened
Caixabank used individuals' data to create financial profiles and offer services without obtaining proper consent.
Who was affected
Individuals who were included in Caixabank's advertising campaigns and had their data used for credit assessments.
What the authority found
The Spanish authority ruled that Caixabank did not have a valid legal basis for processing personal data, as they failed to obtain effective consent.
Why this matters
This decision emphasizes the need for companies to clearly inform individuals about how their data will be used, especially for profiling. Businesses should ensure they have explicit consent before processing personal data for marketing or credit assessments.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000,000 on CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.. An individual had filed a complaint against the controller. The reason was that Caixabank had requested information about him from a company although, the latter has not been a customer of Caixabank since 2014 and that he was included in an advertising campaign to offer him a pre-grant credit. Caixabank had used individuals' data to assess their creditworthiness without their consent. This was used to create financial profiles of the data subjects and to advertise certain financial services (e.g. credit cards or loans) to them on this basis. In doing so, the DPA found that the controller had not obtained effective consent from the data subjects. It is true that the data subjects had at one point given consent for their data to be processed by the entire CaixaBank Group. However, the controller had not adequately informed the data subjects about the data processing, including profiling. For example, the controller had only provided data subjects with general information about the various profiling processing operations, so data subjects could not know exactly what the processing they had consented to consisted of.
Related Enforcement Actions (1)
Other enforcement actions involving CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. in ES
Details
Fine Date
21 October 2021
Authority
Agencia Española de Protección de Datos
Fine Amount
€3,000,000
Enforcement Tracker ID
ETid-884
About this data
Cite as: Cookie Fines. CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. - Spain (2021). Retrieved from cookiefines.eu
Last updated: